Archive for the ‘Internet Security’ Category

Security experts Wednesday warned that Mozilla Corp.’s Firefox browser has an unpatched flaw that lets criminals pilfer Web site or account passwords, and said that the tactic has already been used on MySpace to steal log-in information from users of the popular social networking service. Dubbed the “Reverse Cross-Site Request” (RCSR) vulnerability by its discoverer, the flaw lies in Firefox’s password-saving feature. Attackers can exploit it by crafting malicious HTML code that hijacks a username and password from a legitimate site, such as a blog or message forum, then transports the log-in to another site.

Users would not notice that the theft had even taken place, said Robert Chapin, who reported the bug to Mozilla earlier this month. Microsoft’s Internet Explorer is also vulnerable to RCSR attacks, added Chapin, although circumstances make it less likely that attackers will exploit the bug in IE. Current versions of Firefox, including 1.5.0.8 and 2.0, are vulnerable to RCSR attacks; until a patch is available, users can deflect such attacks by disabling the automated password-saving feature. In Firefox, users should select Tools | Options | Security, then clear the box marked “Remember passwords for sites.” Let’s hope it will be fixed soon. Anyway, still way better than all these ActiveX bugs in IE…
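As an added illustration (not Mozilla’s code and not the reporter’s proof of concept), the following JavaScript contrasts a password-manager auto-fill policy that keys only on the hosting page’s origin with one that also requires the form’s submit target to match the origin the credential was saved against; the saved login, page URLs and form actions are constructed samples.

```javascript
// Added illustration, not Mozilla's fix: how a password manager decides
// whether to auto-fill a login form. The weak policy keys only on the page
// origin, so a form injected into a trusted site's page gets filled even when
// it submits elsewhere. The hardened policy also requires the form's submit
// target to be same-origin with the one the credential was saved against.

// Constructed sample: a login saved on a forum whose form posted to itself.
const SAVED_LOGIN = {
  origin: "https://forum.example",        // page origin at save time
  actionOrigin: "https://forum.example",  // origin of the form action at save time
  username: "alice",
};

// Resolve a form's action attribute against the page URL and return its
// origin; an empty or missing action submits to the page itself.
function formActionOrigin(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl).origin;
}

// Weak policy: fill whenever the hosting page's origin matches the saved one.
function weakShouldAutofill(saved, pageUrl, _action) {
  return new URL(pageUrl).origin === saved.origin;
}

// Hardened policy: page origin and submit-target origin must both match.
function hardenedShouldAutofill(saved, pageUrl, action) {
  return new URL(pageUrl).origin === saved.origin &&
    formActionOrigin(pageUrl, action) === saved.actionOrigin;
}

// Constructed forms, all hosted on the forum's own pages.
const FORMS = [
  { label: "genuine login form", pageUrl: "https://forum.example/login", action: "/login" },
  { label: "form injected into a post", pageUrl: "https://forum.example/thread/42",
    action: "https://elsewhere.example/collect" },
  { label: "form downgraded to plain http", pageUrl: "https://forum.example/thread/42",
    action: "http://forum.example/login" },
];

// Return which forms a policy would auto-fill, in FORMS order.
function evaluate(policy) {
  return FORMS.map((f) => policy(SAVED_LOGIN, f.pageUrl, f.action));
}

console.log("weak    :", evaluate(weakShouldAutofill));      // [ true, true, true ]
console.log("hardened:", evaluate(hardenedShouldAutofill));  // [ true, false, false ]
```

Disabling “Remember passwords for sites” removes the auto-fill step entirely, which is why it blocks the attack even without the stricter check.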